Add headers to 4xx and 5xx when enabling CORS

[honglu]

Description:

When using SAM to add CORS support to API GW, it works well for 2xx errors. According to API GW doc, the Lambda function is responsible to return the Access-Control-Allow-Origin header. However, in the case when API GW returns 4xx (access denied or input validation failure etc.) or 5xx directly without going through the integrated Lambda function, this header is missing. In order to make this work for 4xx and 5xx, I have to add the following in my swagger:

x-amazon-apigateway-gateway-responses:
  DEFAULT_4XX:
    responseParameters:
      gatewayresponse.header.Access-Control-Allow-Origin: "'*'"
  DEFAULT_5XX:
    responseParameters:
      gatewayresponse.header.Access-Control-Allow-Origin: "'*'"

It would be nice if SAM can add these to the swagger if I add cors in AWS::Serverless::Api resource.

[praneetap]

@honglu thanks for reporting the issue! This change would go here where we add gateway responses if the Access-Control-Allow-Origin property is set. To add gateway responses you would need to call this

[mildaniel]

I don't think that this is necessarily something that we want to do by default. The risk is making existing APIs unintentionally more permissible in cases where users don't want or already have these headers set. The safest approach is for users to set these gateway responses when required.

[seemantk-schweitzer]

please excuse the newbie question here: I just recently added the Cors options to my apigateway resource in a SAM template. How would I go about enabling the 4xx and 5xx responses to also send the cors headers in the current state of things?

[mildaniel]

Hi @seemantk-schweitzer. You'll want to set the x-amazon-apigateway-gateway-responses. You can find more information about it here.

[sdsa-cci]

@seemantk-schweitzer I know I'm a bit late, but the official documentation to what you were looking for is here.

template.yml snippet.

Resources:
  MyApi:
    Type: AWS::Serverless::Api
    Properties:
      StageName: Prod
      GatewayResponses:
        DEFAULT_4xx:
          ResponseParameters:
            Headers:
              Access-Control-Expose-Headers: "'WWW-Authenticate'"
              Access-Control-Allow-Origin: "'*'"

  GetFunction:
    Type: AWS::Serverless::Function
    Properties:
      Handler: index.get
      Runtime: nodejs12.x
      InlineCode: module.exports = async () => throw new Error('Check out the response headers!')
      Events:
        GetResource:
          Type: Api
          Properties:
            Path: /error
            Method: get
            RestApiId: !Ref MyApi